zaproxy · kingthorin · Nov 5, 2025 · Nov 5, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,12 +14,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Update minimum ZAP version to 2.16.0 and compile with Java 17.
 - Add cautionary note to help and readme.
 - Maintenance and documentation changes.
+- Active and passive READMEs to include lastest JS script examples.
 
 ### Fixed 
 - The following scripts were not being loaded as scan rules:
   - active/SSTI.js
   - passive/Mutliple Security Header Check.js
 
+### Removed
+- Links to videos which no longer exist.
+
 ## [19] - 2024-07-01
 ### Added
 - extender/arpSyndicateSubdomainDiscovery.js - uses the API of [ARPSyndicate's Subdomain Center](https://www.subdomain.center/)

diff --git a/README.md b/README.md
@@ -38,7 +38,4 @@ in the main directory of the project, the add-on will be placed in the directory
 
 ## Official Videos
 
-* [ZAP In Ten: Introduction to Scripting](https://play.sonatype.com/watch/7gR4qYzUZ686wEDMBfxGdf) (9:33)
 * [ZAP Deep Dive: Scripting ZAP](https://www.youtube.com/watch?v=ujL6rH6nVXI) (28:34)
-
-Note that there are videos for some of the specific script types linked from the relevant READMEs.
diff --git a/active/README.md b/active/README.md
@@ -9,18 +9,47 @@ These detect potential vulnerabilities by actively attacking the target, run as
 // Note that new active scripts will initially be disabled
 // Right click the script in the Scripts tree and select "enable"  
 
+const ScanRuleMetadata = Java.type("org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata");
+
+function getMetadata() {
+	return ScanRuleMetadata.fromYaml(`
+id: 12345
+name: Active Vulnerability Title
+description: Full description
+solution: The solution
+references:
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
+category: INJECTION  # info_gather, browser, server, misc, injection
+risk: INFO  # info, low, medium, high
+confidence: LOW  # false_positive, low, medium, high, user_confirmed
+cweId: 0
+wascId: 0
+alertTags:
+  name1: value1
+  name2: value2
+otherInfo: Any other Info
+status: alpha
+alertRefOverrides:
+  12345-1: {}
+  12345-2:
+    name: Active Vulnerability - Type XYZ
+    description: Overridden description
+`);
+}
+
 /**
  * Scans a "node", i.e. an individual entry in the Sites Tree.
  * The scanNode function will typically be called once for every page. 
  * 
  * @param as - the ActiveScan parent object that will do all the core interface tasks 
  *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
- *     raising alerts, etc.). This is an ScriptsActiveScanner object.
+ *     raising alerts, etc.). This is an ActiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  */
 function scanNode(as, msg) {
-	// Debugging can be done using println like this
-	print('scan called for url=' + msg.getRequestHeader().getURI().toString());
+	// Debugging can be done using print like this
+	print('scanNode called for url=' + msg.getRequestHeader().getURI().toString());
 
 	// Copy requests before reusing them
 	msg = msg.cloneRequest();
@@ -49,19 +78,33 @@ function scanNode(as, msg) {
 	}
 }
 
+/**
+ * Scans a host.
+ * The scanHost function will be called once per host being scanned.
+ * @param as - the ActiveScan parent object that will do all the core interface tasks
+ *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
+ *     raising alerts, etc.). This is an ActiveScriptHelper object.
+ * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
+ */
+function scanHost(as, msg) {
+	// Debugging can be done using print like this
+	const uri = msg.getRequestHeader().getURI();
+	print(`scanHost called for host=${uri.getHost()}` + (uri.getPort() !== -1 ? `:${uri.getPort()}` : ""));
+}
+
 /**
  * Scans a specific parameter in an HTTP message.
  * The scan function will typically be called for every parameter in every URL and Form for every page.
  * 
  * @param as - the ActiveScan parent object that will do all the core interface tasks 
  *     (i.e.: sending and receiving messages, providing access to Strength and Threshold settings,
- *     raising alerts, etc.). This is an ScriptsActiveScanner object.
+ *     raising alerts, etc.). This is an ActiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  * @param {string} param - the name of the parameter being manipulated for this test/scan.
  * @param {string} value - the original parameter value.
  */
 function scan(as, msg, param, value) {
-	// Debugging can be done using println like this
+	// Debugging can be done using print like this
 	print('scan called for url=' + msg.getRequestHeader().getURI().toString() + 
 		' param=' + param + ' value=' + value);
 
@@ -76,21 +119,11 @@ function scan(as, msg, param, value) {
 
 	// Test the response here, and make other requests as required
 	if (true) {	// Change to a test which detects the vulnerability
-		// risk: 0: info, 1: low, 2: medium, 3: high
-		// confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
-		as.newAlert()
-			.setRisk(1)
-			.setConfidence(1)
-			.setName('Active Vulnerability title')
-			.setDescription('Full description')
+        // Call newAlert() if you're not using alertRefOverrides
+		as.newAlert("12345-1")
 			.setParam(param)
 			.setAttack('Your attack')
 			.setEvidence('Evidence')
-			.setOtherInfo('Any other info')
-			.setSolution('The solution')
-			.setReference('References')
-			.setCweId(0)
-			.setWascId(0)
 			.setMessage(msg)
 			.raise();
 	}
@@ -111,8 +144,3 @@ function scan(as, msg, param, value) {
 * Jruby : [Active default template.rb](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jruby/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.rb)
 * Jython : [Active default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.py)
 * Zest : [Active default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/active/Active%20default%20template.zst)
-
-
-## Official Videos
-
-[ZAP In Ten: Active Scan Scripts](https://play.sonatype.com/watch/aEwqErXFMTYdDDQbTgnJeA) (11:38)
diff --git a/httpsender/README.md b/httpsender/README.md
@@ -52,6 +52,3 @@ function responseReceived(msg, initiator, helper) {
 * Jython : [HttpSender default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/httpsender/HttpSender%20default%20template.py)
 * Zest : [HttpSender default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/httpsender/HttpSender%20default%20template.zst)
 
-## Official Videos
-
-[ZAP In Ten: Proxy and HttpSender Scripts](https://play.sonatype.com/watch/4no8EY1iB8RdnQLPFpYi2a) (10:14)
diff --git a/passive/README.md b/passive/README.md
@@ -11,7 +11,35 @@ These detect potential vulnerabilities by passively analysing traffic to and fro
 // Note that new passive scripts will initially be disabled
 // Right click the script in the Scripts tree and select "enable"  
 
-var PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPassiveScanner");
+const PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPassiveScanner");
+const ScanRuleMetadata = Java.type("org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata");
+
+function getMetadata() {
+	return ScanRuleMetadata.fromYaml(`
+id: 12345
+name: Passive Vulnerability Title
+description: Full description
+solution: The solution
+references:
+  - https://www.example.org/reference1
+  - https://www.example.org/reference2
+risk: INFO  # info, low, medium, high
+confidence: LOW  # false_positive, low, medium, high, user_confirmed
+cweId: 0
+wascId: 0
+alertTags:
+  name1: value1
+  name2: value2
+otherInfo: Any other info
+status: alpha
+alertRefOverrides:
+  12345-1: {}
+  12345-2:
+    name: Passive Vulnerability - Type XYZ
+    description: Overridden description
+`);
+}
+
 
 /**
  * Passively scans an HTTP message. The scan function will be called for 
@@ -20,7 +48,7 @@ var PluginPassiveScanner = Java.type("org.zaproxy.zap.extension.pscan.PluginPass
  * 
  * @param ps - the PassiveScan parent object that will do all the core interface tasks 
  *     (i.e.: providing access to Threshold settings, raising alerts, etc.). 
- *     This is an ScriptsPassiveScanner object.
+ *     This is a PassiveScriptHelper object.
  * @param msg - the HTTP Message being scanned. This is an HttpMessage object.
  * @param src - the Jericho Source representation of the message being scanned.
  */
@@ -29,22 +57,14 @@ function scan(ps, msg, src) {
 	if (true) {	// Change to a test which detects the vulnerability
 		// risk: 0: info, 1: low, 2: medium, 3: high
 		// confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
-		ps.newAlert()
-			.setRisk(1)
-			.setConfidence(1)
-			.setName('Passive Vulnerability title')
-			.setDescription('Full description')
+        // Call newAlert() if you're not using alertRefOverrides
+		ps.newAlert("12345-1")
 			.setParam('The param')
 			.setEvidence('Evidence')
-			.setOtherInfo('Any other info')
-			.setSolution('The solution')
-			.setReference('References')
-			.setCweId(0)
-			.setWascId(0)
 			.raise();
 
-		//addTag(String tag)
-		ps.addTag('tag')			
+		//addHistoryTag(String tag)
+		ps.addHistoryTag('tag')
 	}
 
 	// Raise less reliable alert (that is, prone to false positives) when in LOW alert threshold
@@ -84,6 +104,4 @@ function appliesToHistoryType(historyType) {
 * Jython : [Passive default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/passive/Passive%20default%20template.py)
 * Zest : [Passive default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/passive/Passive%20default%20template.zst)
 
-## Official Videos
 
-[ZAP In Ten: Passive Scan Scripts](https://play.sonatype.com/watch/HfENJ3GJB3zbD6sMscDrjD) (11:55)
diff --git a/proxy/README.md b/proxy/README.md
@@ -55,8 +55,3 @@ function proxyResponse(msg) {
 * Jython : [Proxy default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/proxy/Proxy%20default%20template.py)
 * Zest : [Proxy default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/proxy/Proxy%20default%20template.zst)
 
-
-## Official Videos
-
-[ZAP In Ten: Proxy and HttpSender Scripts](https://play.sonatype.com/watch/4no8EY1iB8RdnQLPFpYi2a) (10:14)
-
diff --git a/targeted/README.md b/targeted/README.md
@@ -30,7 +30,3 @@ function invokeWith(msg) {
 * Jruby : [Targeted default template.rb](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jruby/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.rb)
 * Jython : [Targeted default template.py](https://github.com/zaproxy/zap-extensions/blob/main/addOns/jython/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.py)
 * Zest : [Targeted default template.zst](https://github.com/zaproxy/zap-extensions/blob/main/addOns/zest/src/main/zapHomeFiles/scripts/templates/targeted/Targeted%20default%20template.zst)
-
-## Official Videos
-
-[ZAP In Ten: Targeted Scripts](https://play.sonatype.com/watch/JzX1YkJqdk7BYTMHikh433) (10:01)